| name | Next.js Security Scan |
| description | Comprehensive security vulnerability scanner for Next.js and TypeScript/JavaScript projects. Detects OWASP Top 10 vulnerabilities, XSS, injection flaws, authentication issues, hardcoded secrets, and Next.js-specific security problems. Audits dependencies for known CVEs and generates actionable security reports. |
Next.js Security Scan Skill
This skill enables comprehensive security scanning of Next.js and TypeScript/JavaScript projects based on OWASP guidelines and industry best practices.
When to Use This Skill
- Security audits of Next.js applications
- Code review for security vulnerabilities
- Pre-deployment security checks
- Dependency vulnerability assessment
- Detecting hardcoded secrets and credentials
Scan Types
1. Quick Scan
Fast scan focusing on critical vulnerabilities:
- Hardcoded secrets and API keys
- Dangerous function usage (
dangerouslySetInnerHTML, eval)
- Missing authentication in Server Actions
- Known vulnerable dependencies
2. Full Scan
Comprehensive security assessment covering:
- All OWASP Top 10:2025 categories
- XSS vulnerability patterns
- Injection vulnerabilities (SQL, NoSQL, Command)
- Authentication and authorization flaws
- Security misconfigurations
- Cryptographic failures
- Next.js-specific vulnerabilities
- Dependency audit (CVE check)
- Environment variable exposure
3. Targeted Scan
Focus on specific vulnerability categories:
--xss - Cross-site scripting patterns--injection - SQL/NoSQL/Command injection--auth - Authentication/authorization issues--secrets - Hardcoded credentials--deps - Dependency vulnerabilities--nextjs - Next.js specific issues
Scan Procedure
Step 1: Project Discovery
- Identify project type (Next.js App Router, Pages Router, or plain React)
- Locate configuration files (
next.config.js, package.json, .env*)
- Map the codebase structure
Step 2: Dependency Audit
Run the dependency audit script:
./scripts/dependency-audit.sh
Or manually:
npm audit --json
yarn audit --json
Step 3: Secret Scanning
Scan for hardcoded secrets:
python scripts/secret-scanner.py /path/to/project
Important: Environment File Handling
- By default, real
.env files are SKIPPED (.env, .env.local, .env.production, etc.)
- These files contain actual secrets and should not be in version control
- Only
.env.example and .env.template files are analyzed for documentation quality
- Use
--include-env-files flag only if explicitly requested by user
The scanner will:
- Scan source code for hardcoded secrets
- Analyze
.env.example templates to check:
- Which sensitive variables are documented
- Whether variables have descriptions (comments)
- If placeholder values look like real secrets
- Suggestions for missing common variables
Step 4: Pattern Analysis
For each file in the codebase, check against patterns in:
references/xss-patterns.md - XSS vulnerabilitiesreferences/injection-patterns.md - Injection flawsreferences/auth-vulnerabilities.md - Auth issuesreferences/nextjs-specific.md - Next.js vulnerabilities
Step 5: Report Generation
Generate a security report using:
assets/report-template.md - Report structure
Severity Classification
| Severity | Description | Action Required |
|---|
| CRITICAL | Exploitable vulnerability with severe impact | Immediate fix required |
| HIGH | Significant security risk | Fix before deployment |
| MEDIUM | Potential security issue | Fix in next release |
| LOW | Minor security concern | Consider fixing |
| INFO | Security best practice suggestion | Optional improvement |
Key Files to Scan
Always Check
**/*.ts, **/*.tsx, **/*.js, **/*.jsx - Source codenext.config.js, next.config.mjs - Next.js configurationpackage.json, package-lock.json - Dependenciesmiddleware.ts, middleware.js - Middleware security
Environment Files
.env.example, .env.template - SCAN for template analysis.env, .env.local, .env.production - SKIP by default (contain real secrets)
Note: Real .env files should never be committed to version control. The scanner analyzes .env.example templates to ensure proper documentation of required variables.
High Priority Locations
app/api/**/* - API routes (App Router)pages/api/**/* - API routes (Pages Router)**/actions.ts, **/*-actions.ts - Server Actionslib/auth*, utils/auth* - Authentication code**/middleware.* - Middleware files
Output Format
Findings should be reported as:
[SEVERITY] Category: Description
File: path/to/file.ts:lineNumber
Code: <relevant code snippet>
Risk: <explanation of the security risk>
Fix: <recommended remediation>
Integration with CI/CD
This skill can generate output compatible with:
- GitHub Security Advisories
- SARIF format for GitHub Code Scanning
- JSON for custom integrations
References
Load additional context as needed:
references/owasp-top-10.md - OWASP Top 10:2025 quick referencereferences/xss-patterns.md - XSS detection patternsreferences/injection-patterns.md - Injection vulnerability patternsreferences/auth-vulnerabilities.md - Authentication security patternsreferences/nextjs-specific.md - Next.js specific vulnerabilities and CVEs
